Disruption and Destruction

CIA as Security Objectives V2

When it comes to information security, which is the opposite of availability? Disruption or destruction? I prefer disruption to destruction.

The scope of information security includes information and information systems, and the context determines their availability. Destruction ruins the availability of information, while disruption breaches the availability of information systems. The availability of information depends on the availability of information systems.

Because information by itself is not accessible or usable, information consumers must access or use it through some tools or instruments, whether the information is at rest, in motion, or in use. As a result, I assume the “access to and use of information” is realized through the information system, as defined in the “Information System” section.

Disruption over Destruction

Given:

  • Information depends on the information system.
  • The opposite of the availability of information means information is not available.

The following logic justifies the conclusion:

  • If information is available, then the information system is available.
  • If the information system is NOT available, then information is NOT available.
  • That means, if the information system is disrupted, then information is NOT available.
  • We can conclude that disruption is the opposite of the availability of information.

Information System

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In the context of this publication, the definition includes the environment in which the information system operates (i.e., people, processes, technologies, facilities, and cyberspace). (NIST SP 800-39)

An information system typically comprises components such as 1) data, 2) computer systems, 3) operating systems, 4) software, 5) networks, 6) data centers, 7) people, 8) business processes, and so forth. My book, The Effective CISSP: Security and Risk Management, introduced the Peacock Model as a metaphor for the information system.

The Peacock Model

The Peacock Model is a metaphor for information systems that extends the definition given in 44 U.S.C., Sec. 3502, and aligns with the NIST SP 800-39 definition stated above. It treats People and Business Processes as extensions of, and part of, an information system, because an information system is implemented and operated by people to support business processes.

Figures: The Peacock; Peacock Model
